Confirmed that as of 3.0 stored procedures for inputs was not supported, only for queries. This is because there is no way to stream variables into an input, so the only type of stored procedure that would theoretically work for an input is a variable-less batch or a simple rising column (as shown here). Clever hack, but not supported to my knowledge. ... View more

the pipeline is database > dbx java server > HEC > indexers. HEC is throwing that error because it can't parse the data. Usually this comes from date strings that aren't dates or non-ASCII stuff. I don't see anything immediately wrong in that data sample but I haven't looked closely. ... View more

that is not currently possible. However, you might enjoy this article: http://my2ndhead.blogspot.com/2017/07/heating-up-data-pipeline-part-1.html ... View more

On the HWF, DBX Input > Java Server > JDBC > RDBMS On the HWF, Java Server > Local HEC > Indexer pipeline (https://www.splunk.com/blog/2016/12/12/universal-or-heavy-that-is-the-question.html) On the Indexers, Indexer pipeline > Disks ... View more

sounds like HEC performance, which usually means indexer pushback. Look at your indexing queues. ... View more

On Winders >"%PROGRAMFILES%\Splunk\bin\splunk.exe" cmd python -c "import os; print(os.environ)" On Nix $ $SPLUNK_HOME/bin/splunk cmd python -c "import os; print(os.environ)" Should show you what Splunk's going to see for an environment variable. If that doesn't have the correct Java home then you'll have to use DB Connect's setup page to override with the one you want it to use. Also note that it is picky and you must have the full JDK from Oracle, version 8. Not Hotspot, not JRE, not OpenJDK, not IBM, &c, &c. ... View more

The biggest thing I see people struggle with when they first meet CIM is that it's about events, not data types. What matters in CIM is "ACTOR did THING with RESULT". That can be very simple in something like proxy data ("User went to website successfully", over and over) or it can be more complex in a data source with many types of events. ... View more

More than one level is assumed, no one really has a flat organization. It doesn't make any difference to my advice. Missing data is also normal, but not your problem. In fact your dashboard might even inspire people to start fixing the source data. ... View more

do groups behave similarly? Can you make a model for each group? ... View more

a view is totally the best way to solve the problem for all the reasons Rich mentions. However, if you can't... I bet that this comes down to column name resolution. Try specifying all column names as completely as possible and see if it goes away. ... View more

I expect that means that each host is a different context with different data and needs a different linear regression. If they were all the same then the model of one's past would predict future for all the others. Since your results show that isn't true... ... View more

this is a recursion problem, and because it's unclear how many levels you'll need to go to, you should do it in two steps. index the data with a simple dbinput use a dbxlookup to figure out bosses for whoever shows up on the dashboard when you look at the data ... View more

Hi, Extreme Search is used to help you answer qualitative questions like "is the amount of critical malware normal?" George Starcher wrote an excellent introduction to it here: http://www.georgestarcher.com/splunk-getting-extreme-part-one/ The version in Enterprise Security is pretty old, and IIRC the visualizations it ships are broken; you might want to download this to get a better feel for what it can do: https://splunkbase.splunk.com/app/2855/#/details At the end of the day, it's step one in a sequence... see https://www.scianta.com/xvcs for the latest tech. ... View more

if you can create an input successfully but it then can't run, there's two possibilities I can think of: You're running in a different Splunk context than you created the input in and can't access the DB Connect artifacts needed The database is returning something different in production than it returned in testing, causing DB Connect or Splunk to reject the data instead of indexing it. ... View more

2018-01-23 11:20:52.418 +1100 [QuartzScheduler_Worker-6] ERROR org.easybatch.core.job.BatchJob - Unable to open record reader looks like it's unable to communicate with the database -- did you follow djackson's instructions on this page? If so, I would check database permissions for the service account you've selected. ... View more

that's correct -- there is an app on Splunkbase that helps you use XS, called Extreme Search Visualization: https://splunkbase.splunk.com/app/2855/ ... View more

Hi GF, context not getting updated is definitely concerning. If it's XS crashing, then we need to know and fix it, so if you're getting core dumps please open a support ticket and reference Extreme Search. If it's Splunk having to bail out and skip those searches, who knows what else is skipping. On ES that could mean time windows not being reviewed for whatever the correlation searches look for, which is potentially getting into due diligence and compliance stuff. I do think that the question being asked here (do we have unusual traffic on this port) is a little questionable... in a lab you might see lots of activity in 1-1024 and a handful of apps (games, IM, fileshare, VOIP and videoconference) up in the high ports, but on a production network with thousands of real people using the real internet there's going to be a lot of churn as fashions change and apps evolve. Regardless of how it's implemented, an ML test is depending on the past predicting the future; as you're seeing, the data on a given high port is pretty erratic and doesn't really make a good prediction. It would probably be more interesting to ask if the data for a port is changing from erratic to stable or from stable to erratic... maybe instead of count of connections or bytes, something like "my data| fields bytes port action | fieldsummary | stats max(stdev) by port"?? ... View more

What Mike said 🙂 This is likely to be a false positive from a short training window; however, extending the training window can produce false negatives as well (see holiday problem discussion in this deck: http://www.scianta.com/docs/Coates_MLtoCC_Talk_2017.pdf ) Mike's suggestion uses weighting on the updates to try and smooth out that effect. Here's the XSV app suggested: https://splunkbase.splunk.com/app/2855/ And for luck, here's George Starcher's excellent series on using XS: http://www.georgestarcher.com/tag/extreme-search/ ... View more

It's a batch input, not a stream, so you can't really do what you're describing at all. If you want streaming behavior the source has to support that also, and DBX's Java layer would need to be modified. yes, there would be performance implications of batching very quickly. You want to consider how rapidly the data you want arrives in the database, and how long it takes the database to respond to your query. Then set execution time to be a little slower than that. This is a balancing act for batch jobs because the longer you wait the more rows there are to return, but if you go too fast your connection setup is going to be more expensive than your data movement. ... View more

either that or arrange for the files to be somewhere that splunk can read them ... View more

the add-on has two types of inputs -- preconfigured DB Connect based inputs which you have to activate through the add-on's setup, and file monitors which you have just shown. DB Connect does not have to run locally to the database. ... View more

That error says that an input in the MySQL add-on is trying to use Splunk's REST endpoint and doesn't have permissions. Most likely this is happening when the add-on tries to enable its preconfigured inputs. make sure your DB Connect can talk to the MySQL database, maybe index a small table into a test index to be sure everything really works. check permissions all around. Make sure DB Connect and the add-on have global scope, make sure you're in the DBX admin role. The docs advice for checking that you've got data is potentially misleading; a sourcetype search won't help if the input is writing into an index that your user doesn't search by default. For instance: your input successfully writes data into index=foo, but your role is only searching index=bar by default. Pasting the search from the docs will get no results, but index=foo sourcetype=mysql:* will work. ... View more

Nice! That looks cool. ... View more

It depends what you want. Say you've got a reference number... that's fairly easy to collect from the user and pass to something like index=intlsales sourcetype=intlsales_transaction reference_number=$input$ | transaction reference_number or index=intlsales sourcetype=intlsales_transaction reference_number=$input$ | stats count by action to get a table like action count transaction 1 transfer_money 1 verify_acct_success 1 verify_inv_success 1 To then turn that into a beautiful graphic is another more complicated job; you might look at the dashboard examples app or splunkbase, but to keep it simple I would just put it in a table and maybe eval some values that would make the table color up properly when told to heat map. To make alerting decisions based on anomalies in that transactional is a lot harder; we make commercial software that does that. ... View more

@nickhillscpl is correct -- it should continue to function on free, but configuring it will take at least eval licensing because you need authentication capabilities. ... View more